[Freeipa-users] 4.1.4 and OTP

Nathaniel McCallum npmccallum at redhat.com
Tue Apr 28 13:44:39 UTC 2015


On Fri, 2015-04-17 at 20:21 -0700, Janelle wrote:
> On 4/17/15 5:59 PM, Dmitri Pal wrote:
> > On 04/17/2015 08:07 PM, Janelle wrote:
> > > 
> > > On Apr 17, 2015, at 16:36, Dmitri Pal <dpal at redhat.com> wrote:
> > > 
> > > > On 04/17/2015 04:52 PM, Janelle wrote:
> > > > >  On 4/17/15 1:19 PM, Dmitri Pal wrote:
> > > > > > On 04/17/2015 01:20 PM, Janelle wrote: 
> > > > > > > On 4/17/15 9:53 AM, Dmitri Pal wrote: 
> > > > > > > > On 04/17/2015 11:16 AM, Janelle wrote: 
> > > > > > > > > Hi, 
> > > > > > > > > 
> > > > > > > > > Is anyone else having issues with OTP since 
> > > > > > > > > upgrading? For the life of me I can't get it to 
> > > > > > > > > accept "Sync" for the tokens. No matter what is put 
> > > > > > > > > in, it just keeps saying the username, password or 
> > > > > > > > > tokens entered are incorrect. 
> > > > > > > > > 
> > > > > > > > > To make it simple - I am trying this on a brand new 
> > > > > > > > > CentOS 7.1 system with a clean/fresh install of 
> > > > > > > > > FreeIPA 4.1.4 and yet it just refuses to work. 
> > > > > > > > > 
> > > > > > > > > I create a user -- configure them. They work just 
> > > > > > > > > fine with a password. Then add a token. Sync with 
> > > > > > > > > FreeOTP and that all works. Then going back to the 
> > > > > > > > > web UI and do Sync OTP and it simply refuses to 
> > > > > > > > > accept any values. And yet the same user can login 
> > > > > > > > > to the regular web UI with their password. 
> > > > > > > > > 
> > > > > > > > > I have tried setting the user to both Password and 
> > > > > > > > > OTP for auth methods. And also just OTP and nothing 
> > > > > > > > > works. 
> > > > > > > > Please look in the logs to see what is going on. 
> > > > > > > > You would need to look at the KDC, http and DS logs on 
> > > > > > > > the server to sort out what is going on. 
> > > > > > > > 
> > > > > > > > Do you change the password for the user first after 
> > > > > > > > creating him? 
> > > > > > > > 
> > > > > > > > Can you reproduce the problem with demo instance? 
> > > > > > > > http://www.freeipa.org/page/Demo 
> > > > > > > > If you can then we can take a look at the logs right 
> > > > > > > > away. 
> > > > > > > > > Hints? Am I missing a step? 
> > > > > > > > > 
> > > > > > > > > ~J 
> > > > > > > > 
> > > > > > > It appears to be the UI. If I go through the steps and 
> > > > > > > let it "fail", I can still login using OTP to servers. I 
> > > > > > > made the assumption that the error itself was not an 
> > > > > > > error.. :-) 
> > > > > > > 
> > > > > > > ~J 
> > > > > > > 
> > > > > > I am not sure I get what you are saying. Do you still see 
> > > > > > the problem or you misinterpreted the UI and now the 
> > > > > > problem is gone? If you did is there any recommendation 
> > > > > > how to improve the UI not to confuse people? 
> > > > > > 
> > > > > The problem exists -- this is what it shows:
> > > > > HOWEVER, it is still WORKING. Meaning, even if you get this 
> > > > > error, if you attempt to login with your FreeOTP token, it 
> > > > > WORKS.
> > > > > 
> > > > > ~J
> > > > > 
> > > > > <mime-attachment.png>
> > > > > 
> > > > > 
> > > > Does it give you this error when you use password or password 
> > > > and token?
> > > > Can you please describe the flow of steps in more details?
> > > > I start browser, go here, click here, enter this, etc.
> > > > 
> > > > Are you using SSSD to login to servers? Is SSSD configured 
> > > > with the IPA provider, or did you configure it for LDAP manually? 
> > > > There is a difference between LDAP and Kerberos authentication.
> > > > 
> > > > Maybe the following article will help you to understand the 
> > > > expectations:
> > > > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/authconfig-addl-auth.html#enable-otp
> > > > 
> > > > 
> > > > 
> > > Simple. And my test made it simple.
> > > Stand up new vm running fc21/freeipa.
> > > Configure user.
> > > Add password.
> > > Add token.
> > > 
> > > Login to the vm with the user created using password. Kerberos 
> > > ticket assigned, all is well.
> > > 
> > > Login to web interface with admin. Change user to OTP only.
> > > Go to web UI and click sync OTP. 
> > > Enter username, password and 2 OTP sequences. Click sync. Error 
> > > appears.
> > > 
> > > Now, ssh to same vm using OTP username. Enter password + OTP 
> > > value.
> > > Login successful.
> > I can reproduce this issue with demo instance.
> > I will file a bug later today.
> > I think it is a bug with sync.
> > Which token do you use time based or event based?
> TOTP... 
> 
> Hmm, makes me wonder - will HOTP fail the same? Off to try it.

This should just affect TOTP. I have posted a patch that should fix
this problem. Are you able to test it?

https://www.redhat.com/archives/freeipa-devel/2015-April/msg00282.html

> ~J
> 
> PS - is there a way to sync a token from command line? I can't think 
> of a way, but maybe...

ipa otptoken-sync

Nathaniel
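The thread is about TOTP token resynchronization: the user submits two consecutive codes and the server works out how far the token's clock has drifted, which is what the web UI "Sync OTP" dialog and `ipa otptoken-sync` do. The following is an added illustration of that mechanism, not FreeIPA's own code (FreeIPA's real implementation, the exact patch referenced above, and its search window are not reproduced here). It implements RFC 4226 HOTP and RFC 6238 TOTP in plain Python, then searches a drift window for an offset at which the first code matches one time step and the second code matches the very next step. The base32 secret, the timestamps and the `SYNC_WINDOW` size are constructed values chosen for the demo.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret (not a real token); base32 is the form FreeOTP imports.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"
STEP = 30          # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6
SYNC_WINDOW = 200  # assumed: how many steps of drift to search on each side


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, now: int, offset_steps: int = 0, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter, shifted by a stored drift offset."""
    return hotp(key, now // step + offset_steps)


def resync_totp(key: bytes, first: str, second: str, now: int,
                step: int = STEP, window: int = SYNC_WINDOW):
    """Return the token's clock drift in steps, or None if the two codes are not consistent.

    Requiring two consecutive codes means a guessed pair must hit two 6-digit
    values at adjacent steps, which is far harder than matching a single code
    somewhere inside a wide window.
    """
    base = now // step
    for delta in range(-window, window + 1):
        if (hmac.compare_digest(hotp(key, base + delta), first)
                and hmac.compare_digest(hotp(key, base + delta + 1), second)):
            return delta
    return None


def demo():
    """Constructed scenario: the token's clock is 2 minutes (4 steps) ahead of the server."""
    key = base64.b32decode(DEMO_SECRET_B32)
    server_now = 1_700_000_000            # constructed server timestamp
    token_now = server_now + 4 * STEP     # token clock runs fast by 4 steps
    first = totp(key, token_now)          # code the user reads from the app now
    second = totp(key, token_now + STEP)  # code the app shows in the next step
    drift = resync_totp(key, first, second, server_now)
    # After storing the drift, the server can verify the token's current code.
    verified = drift is not None and totp(key, server_now, offset_steps=drift) == first
    return drift, verified


if __name__ == "__main__":
    print(demo())
```

Once the offset is found, a server stores it with the token and applies it on every later verification; without this step a drifted token produces codes the server rejects even though the user typed them correctly, which is why the wrong error message in the UI was worth chasing down.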